NETWORK SECURITY SYSTEM BASED ON PHYSICAL LOCATION

[001] The present application claims the benefit of U.S. Provisional Application No. 60/461,002, filed April 7, 2003, which is incorporated herein by reference.

BACKGROUND OF THE INVENTION
[002] The present invention relates to a network security system and method for monitoring, tracking, and authorizing the physical location of a network login. More specifically, the present invention relates to a system that maintains records of authorized network users and monitors, tracks, and authorizes the physical location from which those users are authorized to access a computer network.

[003] In many businesses employees are assigned their own computer network access number so that the employee can interface with the company's computer network. The access number provides security to the company's network and prevents those unauthorized to use the network system from accessing the network. However, there exist circumstances in which a user who does not have authorized access to a company's network can maliciously break into network systems in order to gain unlawful access to valuable information or to ruin network programs. This unfortunate problem is not isolated to users outside the network; there are also instances in which employees, having authorization or stolen authorization, access the network for the purpose of ruining network programs or obtaining proprietary information.
[004] The problems of maintaining security for company network systems are well known in the art. One type of system that deals with network security problems is a firewall. A firewall is a set of related programs that protects the resources of a private network, or intranet, from users outside the network and also controls what outside resources users of the network can access. A firewall is located at a network's gateway server, the network entrance point, and is often installed in a specially designated computer that is separate from the network. Essentially, a firewall examines each network packet, or unit of data routed between an origin and a destination on the Internet or other network, to determine if it should be forwarded to its destination. Firewall screening methods include, for example, screening requests to ensure the requests come from acceptable domain name and Internet Protocol addresses. Mobile network users are allowed remote access to the network by the use of secure logon procedures and authentication.

[005] In such systems, the focus of network security is on protecting the network from users of other networks. That is, firewalls protect private networks from unauthorized external users of a company's network, such as the proverbial computer hacker. However, there is no security system or device that protects a private network from an inside network user, such as a rogue employee. Because employees typically have authorization, that is, an authorized Username and Password, to access a company's network, the most potentially damaging security threat is posed not from an external user over the Internet but rather from within the company itself over the local area network, that is, "insider hacking." The prior art systems fail to prevent this type of security threat.

[006] Thus, while the systems described above have been adequate for the applications for which they are designed, the need exists for an additional network security system which can prevent unlawful or unauthorized activities by an otherwise authorized network user.

SUMMARY OF THE INVENTION
[007] The present invention relates to a network security system and method for monitoring, tracking, and authorizing the physical location of a network login. More specifically, the present invention relates to a system that maintains records of authorized network users and monitors, tracks, and authorizes the physical location from which those users are authorized to access a computer network.

[008] The system of the present invention generally comprises a software component and a hardware component. The software component monitors the access of network users and constructs a database which can include records of network login attempts and information such as, for example, the login ID, or Username and Password; the workstation name, including the IP/MAC address; and the physical location and time of the login.

[009] The hardware component of the present invention includes a system for determining the physical location from which a user attempts to connect to the network. The hardware component comprises a microprocessor that monitors the connection of data ports and generates a database which contains physical location information associated with the network computers and related equipment.

[0010] When a user attempts to connect or connects to the network, the system of the present invention monitors the network security server, which grants or denies initial access to the network, and records login information. Specifically, the microprocessor of the hardware component, which continuously monitors the connection of data ports, communicates the data port connection information to a database. The software component looks up the physical location information on the database generated by the hardware component to determine, among other things, whether the user is authorized to login from the particular physical location of the login. That is, the software component monitors the access granted by the security server to determine whether a particular user, which has been granted initial access, is authorized to login from a particular location. If the user is not authorized to login from a particular login location, the software component can take preventive action, such as instructing the switch or patch panel of the hardware component to shut down the user's data port. The software component also maintains records of network login attempts in an event log.

[0011] Other objects and features of the present invention will become apparent from the following detailed description, considered in conjunction with the accompanying drawing figures. It is to be understood, however, that the drawings are designed solely for the purposes of illustration and not as a definition of the limits of the invention, for which reference shall be made to the appended claims.

[0012] In the drawing figures, which are not drawn to scale, and which are merely illustrative, and wherein like reference characters denote similar elements throughout the several views:

[0013] FIG. 1 is a schematic illustrating the overall system of the present invention.

[0014] FIG. 2 is a table illustrating the database of Data Port Connection Information according to one embodiment of the present invention.

[0015] The present invention relates to a network security system and method for monitoring, tracking, and authorizing the physical location of a network login. More specifically, the present invention relates to a system that maintains records of authorized network users and monitors, tracks, and authorizes the physical location from which those users are allowed to access a computer network.

[0016] FIG. 1 is a schematic of a network security system according to one embodiment of the present invention. In general, the system allows a network manager, such as a company, to control network logins and thereby prevent or prohibit breaches of network security and/or track or monitor for investigative or administrative purposes the physical location from which users access the network.

[0017] As seen in FIG. 1, the network security system of the present invention includes workstations, generally indicated as 101 through 110, that consist of a computer, which can be a desktop or laptop, and other related equipment. Each workstation, 101 through 110, is associated with a specific physical location, generally indicated as 111 through 120, such as, for example, an office, floor of a building, portion of a floor of a building or department, or any other type of desired physical boundary. Workstations 101 through 110 are coupled to each other via a local area network (LAN), generally indicated as 150. More specifically, workstations 101 through 110, a security server, generally indicated as 152, an administration terminal, generally indicated as 154, and the hardware component of the present invention are all in communication via LAN 150.

[0018] Network users, or employees, can be associated with one particular workstation, 101 through 110, and one physical location, 111 through 120, or multiple workstations and/or physical locations. As described in more detail below, a user at a workstation in a particular physical location enters a Username and Password. Security server 152, which can include one or more security servers, can be coupled to LAN 150 or directly to each workstation and grants or denies initial network access based upon the Username and Password entered by a user.
[0019] The hardware component of the present invention, which is connected to LAN 150, monitors the connection pattern of data ports on a switch or patch panel. The hardware component comprises a system for determining the connection of data ports, which includes a switch or patch panel that is electrically connected to a microprocessor, which continually records and updates data port connection information. One such system is described in issued U.S. Patent No. 6,574,586. Other such hardware systems are known in the art and contemplated herein. That is, the present invention is not limited to any particular hardware component and will work equally well with any type of hardware component that can determine the physical location of an attempted login. The present invention also contemplates an embodiment with no hardware system wherein the data port connection information is manually entered into the database of a microprocessor.

[0020] The software component of the present invention monitors the activity of security server 152, determines whether the user is authorized to login to the network at the specific login location, takes the necessary action upon determining a user is unauthorized, and maintains records of login attempts. Security server 152 grants or denies initial access to the network based upon a comparison of the user's entered Username and Password and the Username and Password stored on security server 152 or on another network PC/Server. The software component then looks up the data port connection information generated by the hardware component to determine if the user has been granted authorization to access the network from that particular physical location. If the user is not authorized to access the network from that particular physical location, the software component can take various preventive actions, for example, instructing the switch or patch panel of the hardware component to shut down the user's data port or issuing an alert to the administrative terminal 154.

[0021] The software component also maintains records of login attempts, successful or unsuccessful. Specifically, the software component generates a database, or event log, which contains login identification information, such as, for example, Usernames and Passwords; workstation identification information, including IP/MAC address; date and time of each login attempt; date and time of each authorized login; login type description; network security agent; domain address; network resource accessed; server identification; number of successful or unsuccessful login attempts; device identification (e.g., host name); IP address; MAC address; jack or outlet identification; jack or outlet location; port identification; and any other circuit trace information.

[0022] The database of the hardware component will now be described in greater detail with reference to FIG. 2, and continuing reference to FIG. 1. The database of the hardware component includes a table of information, which is described below. As appreciated by one skilled in the art, the following arrangement of information in a table is exemplary and other arrangements are within the scope of the present invention.

[0023] The database of the hardware component includes a Data Port Connection Information Table 200, as shown in FIG. 2. In general, Data Port Connection Information Table 200 includes records for each workstation, as identified by a Workstation ID. Each such record includes the IP/MAC address and the physical location (such as an office). For example, Workstation 101 is associated with Address 1 and Location 111. Workstation 102 is associated with Address 2 and Location 112. Workstation 103 is associated with Address 3 and Location 113. Workstation 104 is associated with Address 4 and Location 114. The remaining workstations are similarly numbered as identified in Table 200.

[0024] Having described the components of the present embodiment, the operation thereof will now be described. As an initial matter, the network manager provides user identifying information to a security server database. More specifically, the network manager provides to security server 152 or another network PC/Server the Username and Password of each network user. In one embodiment of the present invention, the network manager manually enters the user-identifying information into the security server database 152 via administration terminal 154.

[0025] Once a user enters a Username and Password into a network computer, the entered information is communicated to security server 152 via LAN 150. Security server 152 receives the information and compares it with the information stored in a security server database. Specifically, security server 152 grants or denies initial network access based upon the entered Username and Password.

[0026] Concurrently, the hardware component of the present invention monitors the connection of data ports. Specifically, a system such as that disclosed in issued U.S. Patent No. 6,574,586 determines the connectivity of each workstation and related equipment and their physical location. The microprocessor within the hardware component continuously receives, records, and updates a database of the data port connection information.

[0027] When a user logs onto the network, the software component retrieves information identifying the workstation, 101 through 110 of FIG. 1, and location, 111 through 120 of FIG. 1, from which the user is attempting the logon. The software component records the login information and takes preventive action, as described above, if necessary.

[0028] By way of example, with reference to FIGS. 1 and 2, as described above, a user is associated with Workstation 101 and Location 111. The user enters a Username and Password and is either granted or denied initial network access by security server 152. According to the present invention, if the user accesses the network from Workstation 103 in Location 113, the software component retrieves the data port connection information from the hardware component database, represented by Table 200, to determine if the user is authorized to login to the network at that location. While the user may have been granted initial access to the network by entering the correct Username and Password, Workstation 103 and Location 113 are not associated with the user. Thus, the user's access can be disconnected or an alert message can be issued to administrative terminal 154. Additionally, the software component records information pertaining to this failed login event.

[0029] In another example, Workstations 101 through 110 can be laptop computers, or otherwise portable workstations, and therefore can be used at various locations. As described above, a user is associated with Workstation 101 and Location 111. According to the present invention, if the user accesses the network at Workstation 101 in Location 113, the software component retrieves the data port connection information from the hardware component database, represented by Table 200, to determine if the user is authorized to login to the network at that location. While the user may have been granted initial access to the network by entering the correct Username and Password, and although Workstation 101 is associated with the user, Location 113 is not associated with the user. Thus, the user's access can be disconnected or an alert message can be issued to administrative terminal 154. Additionally, the software component records information pertaining to this failed login event.
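The location check of paragraph [0020], the Table 200 lookup of paragraph [0023], and the two worked examples of paragraphs [0028] and [0029], carried through in Python as an added illustration that is not code from the application. The table rows, the user record, the function names and the event-log fields are constructed assumptions; credentials_ok stands in for security server 152's grant or deny decision, and an unknown workstation is treated as unauthorized (an assumption the application does not state).

```python
from datetime import datetime, timezone

# Data Port Connection Information Table 200 (FIG. 2): Workstation ID -> (IP/MAC
# address, physical location). Constructed sample rows following paragraph [0023];
# the hardware component keeps these current from the switch or patch panel.
TABLE_200 = {
    "101": ("Address 1", "111"),
    "102": ("Address 2", "112"),
    "103": ("Address 3", "113"),
    "104": ("Address 4", "114"),
}

# Authorization records held by the software component (constructed): the
# workstations and the locations each user may log in from.
AUTHORIZED = {
    "alice": {"workstations": {"101"}, "locations": {"111"}},
}

EVENT_LOG = []  # the software component's event log of every login attempt


def update_port(workstation_id, address, location):
    """The hardware component reports a data port connection for a workstation."""
    TABLE_200[workstation_id] = (address, location)


def check_login(user, credentials_ok, workstation_id):
    """Apply the location check after the security server's credential verdict.

    Returns "granted", "denied" (security server refused initial access) or
    "disconnect_port", the preventive action taken when the user is not
    authorized to log in at the workstation's current location.
    """
    address, location = TABLE_200.get(workstation_id, (None, None))
    event = {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "workstation": workstation_id,
        "address": address,
        "location": location,
    }
    if not credentials_ok:
        result = "denied"
    else:
        allowed = AUTHORIZED.get(user, {"workstations": set(), "locations": set()})
        # Both the workstation and its present location must be authorized; an
        # unknown workstation has location None and therefore fails closed (assumption).
        if workstation_id in allowed["workstations"] and location in allowed["locations"]:
            result = "granted"
        else:
            result = "disconnect_port"  # e.g. tell the switch to shut the user's port
    event["result"] = result
    EVENT_LOG.append(event)
    return result


if __name__ == "__main__":
    print(check_login("alice", True, "101"))  # granted: own workstation, own office
    print(check_login("alice", True, "103"))  # [0028]: wrong workstation and location
    update_port("101", "Address 1", "113")    # [0029]: laptop 101 now plugged in at 113
    print(check_login("alice", True, "101"))  # disconnect_port: location not authorized
```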

[0030] In an alternate embodiment, the software component of the present invention can also monitor Usernames and Passwords in order to grant or deny initial access to the network.

[0031] While there have been shown and described and pointed out novel features of the present invention as applied to preferred embodiments thereof, it will be understood that various omissions and substitutions and changes in the form and details of the disclosed invention may be made by those skilled in the art without departing from the spirit of the invention. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.

[0032] It is also to be understood that the following Claims are intended to cover generic and specific features of the invention herein described and all statements of the scope of the invention which, as a matter of language, might be said to fall therebetween.



